International Journal of Accounting Information Systems 5 (2004) 89–99

Director responsibility for IT governance

Gerald Trites *
Department of Business Administration, St. Francis Xavier University, Antigonish, NS, Canada B2G 2W5
Received 31 March 2003; received in revised form 30 November 2003; accepted 1 January 2004
Available online

Abstract

Recent emphasis on corporate governance has raised the level of interest in and concern about
directors’ responsibilities. It has become much more critical for directors and others to know more
precisely what their responsibilities are and how they might be discharged. This has been apparent in
the area of internal controls, where directors have long held certain responsibilities, but where those
responsibilities are now being redefined through such means as the Sarbanes–Oxley Act [Sarbanes–
Oxley Act of 2002, Public Law 107–204, 107th Congress, USA] and regulatory actions related to
corporate governance issues.
Information technology (IT) plays a serious role in any modern business system, and therefore, IT
considerations play an important part in the controls that are necessary to preserve and protect
corporate assets from misappropriation, loss and misuse. However, many, if not most, directors do
not have a strong understanding of the controls issues raised by IT and do not even know what
questions they should ask to place themselves in a position to address their responsibilities.
Recognizing this issue, in January 2002, The Information Technology Advisory Committee
(ITAC) of the Canadian Institute of Chartered Accountants released a brochure called 20 Questions
Directors Should Ask About IT to assist corporate directors in the discharge of their responsibilities.
The document is also intended to be helpful to audit and IT steering committees. Audit committees,
of course, are comprised of directors with a particular responsibility in the control area. They usually
discharge these responsibilities by interviewing the external and internal auditors as well as key
members of management. Again, the steering committee members need to understand what
questions to ask in these interviews about IT. In addition, some of the questions will find their way
back to such groups as IT steering committees, and the brochure was therefore directed to them as
well.
The purpose of this paper is to explore the responsibilities that are implicit or explicit in the ITAC
brochure, to consider how the questions suggested therein relate to those responsibilities and finally
assess the direction in which director responsibilities for IT seem to be going as a result of current
events. A summary of the questions included in the ITAC brochure is included at the end of this
paper for reference purposes.
© 2004 Elsevier Inc. All rights reserved.

* Tel.: +1-902-867-5410; fax: +1-902-867-5385.
E-mail address: gtrites@stfx.ca (G. Trites).

1467-0895/$ - see front matter © 2004 Elsevier Inc. All rights reserved.
doi:10.1016/j.accinf.2004.01.001
90 G. Trites / Int. J. Account. Inf. Syst. 5 (2004) 89–99

Keywords: Director; Responsibility; IT governance

1. General observations

At least three observations are readily apparent from a reading of the questions. One is
that they all give recognition to the fact that it is the management who is responsible for
managing the enterprise. Therefore, it is the management who can be expected to initiate
and monitor the ongoing processes in the organization involving information technology
(IT). The questions consistently ask “Does management have . . .” or “have appropriate
procedures been established . . .” or “Has management ensured . . .”. These questions
make it clear that the prime responsibility rests with the management to implement the
necessary procedures. The board member needs to determine that the management has
done so—that the procedures are in place.
This leads to a second issue. If the board member needs to ensure that procedures are in
place, is simply asking the management enough? Or is there an onus on the director to
seek out some evidence or corroboration? An immediate answer to this question might be
in the negative. The need to check whether procedures are in place is normally the domain
of the auditors, both internal and external. The directors do not need to perform audits.
Nevertheless, it is probably reasonable to expect that the directors could be held to some
level of duty of care in making their queries and considering the responses. Moreover, if
the directors are to perform an effective oversight role with regard to management, they
would be remiss to simply rely on the representations of management, no matter how
honest and reliable the management might be. Therefore, some corroborating evidence
would be essential.
A third observation that can be made is that words like “appropriate” and
“effective” are used in many of the questions, implying that establishing the mere
existence of a set of processes or procedures is not enough. They must not only exist,
they must be appropriate or effective. Again, the directors can only meet their
responsibilities by asking questions, but this time, the questions need to be more
penetrating. True, they could order up a special report by outside independent advisors
or consultants, and this is sometimes done, but it is expensive and time consuming and,
in any event, does not remove the directors’ responsibilities but simply represents a
means of addressing them. Again, there would be a need for corroborating evidence to
meet these responsibilities.
Here, there arises a question as to whether the directors have the expertise to evaluate
whether the procedures in place are appropriate or effective. Even IT specialists would
need to do a considerable amount of work to be able to make such an evaluation.
Moreover, the directors are generally not appointed because of their expertise in
evaluating controls, but rather to bring to bear their extensive business knowledge and
mature judgment. Accordingly, it would be reasonable to conclude that they would not be
held to the duty of care of a controls specialist, but rather to the good common sense that
one would expect to be demonstrated by a competent and experienced business person.
This would indicate that they would be entitled to rely on others, such as management and
auditors, to determine whether the procedures in place are appropriate and effective.
Normally, the auditors carry out such work and report to the management and the audit
committee on the results. It is essential, however, that the audit committee asks
penetrating questions about this work on behalf of the other directors to satisfy their
responsibilities.

2. Board responsibilities for IT

According to the Dey Report, the general responsibilities of the Board of Directors are
to “supervise the management of the business”.1 TSE Regulations included this principle
in their rules, which were released after the release of the report. A subsequent report of the
Joint Committee on Corporate Governance, sponsored by the CICA, the TSX and the
TSE, called Beyond Compliance-Building a Compliance Culture, issued in December
2001, also included this principle and made specific reference to the responsibilities of a
Board of Directors as including an oversight role with regard to the:

• strategic planning process, approval of strategic plans and monitoring performance against plans;
• policies and processes to ensure the integrity of internal control and management information systems; and
• policies and processes that (1) identify business risks and the level of risk that is acceptable to the corporation and (2) ensure that systems and actions are in place to monitor risk.

These recommendations were general in application and not IT specific. However,
all of these areas of responsibility have IT content. Strategic planning of virtually all
corporations must include planning with regard to the use of technology, and in so
doing, must include safeguards to protect the organization from the risks arising from
the use of technology. The integrity of internal control and management information
systems, of course, has a very high IT content. Finally, the risks for which the
directors must review policies and procedures would need to include the risks related
to IT. Accordingly, the analysis in this paper will proceed along the lines of these
three categories of responsibilities—strategic planning, internal control and business
risk.
We have already established that in each of these areas, the directors must determine
that procedures are in place, that the procedures are appropriate and that they must obtain
corroborating evidence. This leads to a grid of responsibilities, which is illustrated in
Exhibit 1.

Exhibit 1. Grid of director responsibilities.

1 Dey Report – “Where were the Directors?”, Toronto Stock Exchange, December, 1994.

3. Strategic planning

The strategic planning category in the Joint Report includes the strategic planning
process, the approval of strategic plans and the process of monitoring results against the
plans. These three components cover considerable ground. The process itself includes the
approval and monitoring processes, but is more encompassing. The specific inclusion of
the approval and monitoring processes implies they are of particular importance and
cannot be overlooked by the directors.
Organizations approach strategic planning with regard to IT in different ways,
depending on how extensive their IT is in their organization and how important it is to
their strategic objectives. Clearly, some companies place more dependency on IT than
others do and therefore must plan their IT strategy more carefully. This would be a
judgment that the directors would have to make. Is the right emphasis being placed on IT
in the strategic planning process? Their general knowledge of the business would help in
making this decision. The extent to which the business is engaged in e-business would
also determine the dependency on technology. E-business often involves the use of the
Internet, which requires additional security measures. This is an area that the directors
need to explore, and the Information Technology Advisory Committee (ITAC) document
contains questions specifically pertaining to the extent to which the risks and controls
related to e-business have been evaluated and whether there is adequate protection from
hackers.
In addition, the directors would need to have some idea of the technology that is
available and whether new technologies are being considered by the company. This area is
addressed in the second ITAC question, which asks whether there is a process in place for
the company to keep up with current technological trends.
The directors cannot be expected to become experts in technology or current IT trends.
Their prime focus must be to determine whether there are processes in place for the
company to monitor such trends and to consider new technological developments in their
strategic initiatives. However, to understand the answers to questions in this area, the
directors need to have enough knowledge to be able to assess the answers to the questions.
To do so, they would need to interview senior executives in charge of IT and solicit
reports, with enough technology content to be able to make these judgments, from these
executives. For many directors, this is a learning exercise. Corroborating evidence could
be sought from auditors and other non-IT executives. Thus, while the prime objective of
the directors is to establish that management has in place procedures to track IT trends,
nevertheless, it follows that there must be some knowledge transfer to the directors about
these trends in order for them to be able to satisfy their evaluative responsibilities. In
addition, it would be reasonable to expect that they have a responsibility to make sure that
this knowledge transfer takes place.
Included within strategic issues in the ITAC document is the area of resources, as
reflected in the availability of personnel, as well as outsourcing. Taking the latter first,
outsourcing has become a common approach to having various business processes carried
out. Sometimes, organizations will outsource large chunks of their processing capability.
In other cases, they will outsource to obtain storage capacity or system recoverability
capability.
It is clear that outsourcing does not relieve the management or the directors of any
responsibility. Indeed, it adds to the complexity of their responsibilities because they have
delegated certain responsibilities to others but must remain accountable and, therefore,
must ensure that the outsourcers have good internal control systems and the capability to
safeguard their assets, which would, of course, include data. This means that the directors
have a responsibility to ensure that the management has taken the steps to manage these
relationships that they have entered into.
There may be an inverse relationship of any outsourcing activity with the responsibilities
of management to maintain good personnel resources that can continue to effectively
execute the programs required in the company. If the organization is outsourcing, there
may be a possibility that the personnel are not available and are not being developed for
the future. This is a possibility that should not be ignored in evaluating the relationship of
personnel maintenance with outsourcing practices. It does not mean that outsourcing is
necessarily bad, just that there are risks in terms of the sustainability of a level of IT
expertise within an organization.
IT personnel tend to be highly educated and skilled. In addition, they need
continuing training to keep up with new technologies and practices. An organization
needs to have systems in place that feed these needs, and it is the responsibility of
management to put them in place and of the directors to ensure that the management has
done so. Generally, directors interview the senior executives in an organization to enquire
about these matters. They will also ask internal and external auditors and others about these
issues.

4. Internal control

The questions in the ITAC document around internal control really address two major
issues—is there a structure in place that adequately governs the use of IT in the
organization and how does management extend this structure into the rest of the
organization by letting them know of the policies of the organization with regard to the
organization. The actual business of establishing these policies is left to a discussion below
under Business Risk.
In July 1998, the Canadian Institute of Chartered Accountants (CICA) published the
third edition of its seminal work on IT controls, Information Technology Control Guidelines
(ITCG), which set out a comprehensive approach to managing the control functions
in an organization. One of the fundamental precepts of this volume was that the activities
related to security and control are related to various roles within the organization. It is the
roles to which the personnel are assigned that determines the effectiveness of the controls,
not the actual positions themselves. The reason for this emphasis was that companies
continually change their business processes, allocating specific activities to persons within
an organization that previously had no such activities to carry out. Therefore, activities that
are key to an IT control system might have once been carried out by IT personnel but now
are carried out by sales department personnel.
One of the roles defined in ITCG is that of senior management, whose activities are
summarized as “approval of strategies, policies and standards; allocation of responsibilities;
development and approval of business plans.”2 If we apply the principles discussed
so far in terms of the role of directors, then it would appear that the directors are
responsible for ensuring that the management is doing these things. They need to ask the
questions and seek the corroborating evidence to satisfy themselves as to these matters.
But the directors’ responsibility for internal control extends beyond this framework set
out in ITCG. The Dey Report and subsequent policies released by the securities regulators,
as well as established corporate practice, clearly support the fact that directors need to
determine that the management is taking the steps necessary to ensure a good system of
internal controls is in place. Normally, the responsibilities of the directors with regard to
internal control are discharged through the audit committee, which places a considerable
emphasis on its questioning of the internal and external auditors and their review of their
recommendations with regard to control issues. Generally, audit committees also conduct
follow-up discussions of the auditors’ recommendations in subsequent years to determine
the extent to which the recommendations have been adopted by the management.
This idea is also supported in ITCG, where it defines the purpose of audit committees
as “to review audit issues raised by internal and external audit functions and ensure that
appropriate management attention and resources are being invested in addressing areas of
concern.”3

2 ITCG (1998, p. 18).
The questions in ITAC’s document under control issues address primarily the idea of
governance, with questions that deal with who has responsibility for IT governance,
whether they are at an appropriate level and how the employees are kept aware of security
policies.
These questions recognize that the organizational approach to IT security and controls
reflects the degree of commitment of the organization to establishing a control culture. If
there are high-level personnel—perhaps at the Vice-President level—in charge of IT, then
there is a greater likelihood that IT issues will be addressed by senior management. Hence,
the directors should rightfully be concerned about the organizational aspects of IT
management.
As indicated, the directors have a long established history of having some responsibility
for internal controls and have typically delegated this function to the audit committee.
However, their responsibilities now extend well beyond a narrow definition of controls,
into such areas as the investment of the organization of resources in the IT function and its
overall management of the function. Thus, it is wise for the board to consider assigning a
subcommittee to handle these responsibilities or, as a minimum, assign a specific director
to monitor this area and report back to the whole board. That is the basis for the questions
in the ITAC document.

5. Business risk

ITCG places a considerable emphasis on the idea of risk and the enterprise’s exposure
to it. Risk is defined as “any process, activity or event that can negatively influence the
successful, sustainable and ethical achievement of enterprise objectives”.4 There is
explicit recognition in ITCG, however, that the objective of controls is not to eliminate
all risk—that this would be impracticable and unduly expensive. Rather, ITCG recognizes
that some risk must be borne and that it is the responsibility of management to decide how
much. One of the basic concepts defined in ITCG is that “exposure is the residual risk that
the enterprise is willing to accept in order to meet its objectives”.5 Of course, this clearly
indicates that there must be an acceptance of some degree of risk in the enterprise.
“Ultimate responsibility for risk acceptance rests with senior management and the Board
of Directors who should, as a minimum, explicitly establish and communicate the
enterprise’s tolerance for risk”.6
The question as to how much risk to accept is one that is so fundamental to the overall
management and success of the organization that it pervades numerous areas, and it is
fundamental to many of the activities carried out by the directors. Risk tolerance is an area
that helps to set the tone and establish the culture of the organization and, at the same time,
reflects the tone and culture being set by the senior management, something that Enron
and Worldcom have taught us is very important indeed.

3 ITCG (1998, p. 33).
4 ITCG (1998, p. 37).
5 ITCG (1998, p. 37).
6 ITCG (1998, p. 37).
The questions in the ITAC document all essentially deal with the manner in which
management assesses risk. They imply that the risk assessment process must be
continuous, integrated with the decision making in the organization and linked with a
cost–benefit analysis of security measures. From a judgmental point of view, this is one of
the most difficult areas in which the directors have responsibility. No area is more subject
to the 20–20 vision of a posttraumatic event scenario than the making of initial judgments
about risk.
To render their task manageable, the directors must focus on process, rather than
trying to second-guess the judgments of management. Has management established a
reasonable process? Is the process working? Do the auditors think it is working? Is it
good enough? Questions like this will pervade the work of the directors throughout their
work cycle. It remains reasonable to conclude, however, that the directors need to be
ready to make value judgments about the tone and culture of senior management,
especially in extreme circumstances. In the post-Enron/Worldcom environment, they
would be expected to do so.
The nature of the risks being faced is changing, not only with the type of intrusion
being used by hackers and the like, but also with the extent to which the business is
dependent on technology. One of the rising and most expensive types of IT fraud is that of
denial of service attacks, which is highlighted in the 2003 Survey of the Computer
Security Institute and the FBI on Computer Crime and Security.7 One of the key findings
of that report was that “in a shift from previous years, the second most expensive
computer crime among survey respondents was denial of service, with a cost of
US$65,643,300.” “As in prior years, theft of proprietary information caused the greatest
financial loss ($70,195,900 was lost, with the average reported loss being approximately
$2.7 million).”8
That this is a growing area reflects the increasing involvement of business in e-business
and the growing reliance on technology. It reflects the fact that the directors
need to approach IT investment, management and security as a fundamental driver for
business success and not as a service function that may or may not have an impact
on the ability of the organization to achieve its objectives. The ITAC document
speaks to these issues and, of course, incorporates questions directly relevant to the
idea of business continuity and business continuity plans, as well as system
availability.

6. Privacy and legal issues

As if all this were not enough, the directors also need to concern themselves with the
legal issues pertaining to the use of hardware and software, including such issues as
software licensing. This also is guided by the tone at the top and is an area that is impacted
by numerous other areas that the directors must monitor and explore.

7 Computer Crime and Security Survey, Computer Security Institute and Federal Bureau of Investigation, 2003.
8 CSI/FBI 2003 Survey on Computer Crime and Security.
A somewhat related area of risk is that of privacy, which also pervades other aspects of
the business. For example, a recent occurrence in Saskatchewan, where a hard disk went
missing for a time during a routine hardware upgrade and which contained some very
private data of customers, caused a considerable scare until it was fortunately found. One
of the issues in that situation was the security over hardware, another was the security
controls in place by the organization to which the hard disk was entrusted under an
outsourcing arrangement.
The case illustrated the interrelatedness of the various questions in the ITAC
document and points to one of the fundamental characteristics of the directors’
responsibilities in a post-Enron/Worldcom world. Clearly, each of the questions relates
to a set of responsibilities that must be satisfied, and the answers to the questions in
one area need to be considered in the context of the possible or likely impact on
other areas. They seek out a tone, an overall approach to risk, exposure, IT
management and IT investment that, in total, either amounts to a well-controlled
situation or does not.
That is the role of the directors, to ask the questions and come to a sufficient level of
comfort that the situation is well controlled, that the major players, such as senior
management and the auditors, are doing their job. The individual questions are important,
but perhaps, the most important aspect of all is the overall view of the organization that the
answers to those questions portray.

7. Summary and conclusions

It is abundantly clear that the responsibilities of the directors with regard to IT are
evolving and becoming more complicated. As IT becomes a much more central aspect
of most organizations than it was even 10 years ago, the responsibilities of the directors
have evolved from one of trying to assess the impact of specific technological issues
on the business to one of incorporating IT as a prime resource being used to achieve
business objectives. This is a dramatic shift, one that calls for new thinking by the
board and new approaches to evaluating this key aspect of an organization’s
management.

Appendix A. Summary of questions

A.1. Strategic issues

I. Strategy and planning
1. Does management have a strategic information systems plan in place that is
monitored and updated as required? Does this plan form the basis for the annual
plans, annual and long-term budgets and the prioritization of information technology
projects?
II. Technology trends

2. Have appropriate procedures been established to ensure that the organization is
aware of technology trends, periodically assessing them and taking them into consideration
when determining how it can better position itself?
III. Performance
3. Have key performance indicators and drivers of the IT department been determined?
Are they monitored from time to time and are they benchmarked against industry
standards?
4. How is the organization managing its relationships with third-party service
providers?
IV. Personnel
5. Does management have appropriate procedures to address information technology
employee turnover, training and project assignment?
6. How has management ensured that it has identified the required technology expertise
and how is top talent attracted and retained?

A.2. Internal control issues

V. Governance
7. Has the board considered the creation of an IT subcommittee or assigned a board
member specific responsibility for the organization’s investment in, and use of, information
technology?
8. Who on the management team has responsibility for IT corporate governance? Is this
person in a sufficiently senior management position?
9. What is management doing to ensure that employees are aware of, and are in
compliance with, the company’s information and security policies?

A.3. Risk issues

VI. Risk and security
10. Does management have a plan to periodically conduct risk assessments covering
the organization’s use of information technology, including internal systems and processes,
outsourced services and the use of third-party communications and other services? If it
does, are the results of the assessments acted on where appropriate or required?
11. How does management ensure data integrity, including relevance, completeness,
accuracy and timeliness, and its appropriate use within the organization?
12. What arrangements does the organization have for the regular review and audit of
its systems to ensure risks are sufficiently mitigated and controls are in place to support the
major processes of the business?
VII. Personal information privacy
13. Has the organization assigned someone the responsibility for privacy policy,
privacy legislation and compliance therewith?
14. Has the organization identified the various legislative and regulatory requirements
for protecting personal information and developed a policy and procedures for monitoring
compliance with them?
VIII. E-business
15. If the organization uses e-business to buy or sell products or services, has there been
a specific review of the risks and controls over the e-business activities?
16. Are the organization’s e-business activities appropriately protected from external
attack by hackers or others that, if successful, would result in loss of customer satisfaction
or public embarrassment?
IX. Availability
17. Has the organization adopted formal availability policies? Has it implemented
effective controls to provide reasonable assurance that systems and data are available in
conformity with availability policies?
18. Does the organization understand the impact of an interruption in service and are
there plans in place to deal with potential interruptions? Has a business continuity plan
been adopted? If it has been adopted, is it tested regularly and are the results used to
improve the plan?
X. Legal issues
19. Has management considered and addressed legal implications that pertain to the use
of software, hardware, service agreements and copyright laws?
20. Have policies covering licences, agreements and copyright been formulated and
disseminated to all personnel?

References

“Beyond Compliance: Building a Governance Culture”. Final Report, Joint Committee on Corporate Governance,
jointly released by the Canadian Institute of Chartered Accountants (CICA), the Canadian Venture
Exchange (CDNX) and the Toronto Stock Exchange (TSE); 2001 (December).
Computer Crime and Security Survey. Computer Security Institute and Federal Bureau of Investigation; 2003.
Information Technology Control Guidelines. 3rd ed. Canadian Institute of Chartered Accountants, Toronto; 1998
(July).
The Dey Report—“Where were the Directors?” Toronto Stock Exchange; 1994 (December).
